Bridge Mode and Passthrough - Why are they used and what are the differences?
Bridge Mode and Passthrough - Why are they used and what are the differences?
Misuse of terms
Before we get started, it's important to note that the misuse of these terms is common with Comcast and Spectrum.
Comcast and Spectrum often refer to Passthrough mode when what they really mean is a certain configuration of the modem's settings to remove all restrictions on inbound and outbound traffic for the Public IP subnet. They typically are correct in their use of Bridge mode.
Important Related Articles
- What are bridge and passthrough modes?
- What are differences between gateway and router?
- What is Network Address Translation (NAT)?
Bridge Mode
The ISP gateway is configured to allow its Public dynamically assigned IP address to be used on a customer owned managed Firewall or Router. By enabling the bridge mode, router function (layer 3) is essentially disabled and the gateway functions as a modem (layer 2).
- Used only with Dynamically assigned Public IP addresses
- DHCP will deliver ONE public IP from the modem/gateway to the client's Firewall or Router
- Zero filtering on inbound and outbound traffic
- ISP Gateway cannot be remotely accessed by their support team unless it is reset to factory defaults
- Incompatible with Local IP assignment via DHCP
- Incompatible with Public Static IP

This is NOT a recommended configuration. If the ISP replaces the modem, we may lose access to the Firewall. Some of our clients do have this configuration along with a DDNS setup. If the client has a WatchGuard firewall, we should either move them to a static IP or cloud management so Bridge Mode can be disabled.
IP Pass-through / Passthrough
Used to pass a Static Public IP address to a customer owned managed Firewall or Router. IP pass-through works essentially the same as the bridged mode where customer can use their own router behind the ISP-provided gateway.
- Used only with Statically assigned Public IP addresses
- DHCP will deliver ONE public IP from the modem/gateway to the client's Firewall or Router
- Filtering of traffic by the ISP gateway is possible and their firewall should be fully disabled for the Public IP subnet
- Can be compatible with Local IP assignment via DHCP
- Allows the ISP to connect to the gateway for updates and troubleshooting
Input:
Provide thorough definitions and overview of IP passthrough and bridge mode as it relates to ISP Gateways and client firewalls. Include related information on dynamic IP vs static IP.IP Passthrough vs. Bridge Mode in ISP Gateways and Client Firewalls
When configuring an ISP-provided gateway to work with a client firewall or router, two commonly used modes are IP Passthrough and Bridge Mode. Understanding these modes is crucial for setting up a network correctly, ensuring proper routing, and avoiding double NAT issues.
1. IP Passthrough
Definition
IP Passthrough is a feature commonly found in ISP-provided routers or modems that allows a single device (typically a firewall or a separate router) to receive the public IP address assigned by the ISP. This effectively makes the ISP gateway act as a simple modem, forwarding all traffic to the designated device without performing NAT (Network Address Translation).
How It Works
- The ISP assigns a public IP address to the ISP gateway.
- With IP Passthrough enabled, the gateway forwards that public IP address directly to a single connected device (usually the client firewall or router).
- The device receiving the public IP is responsible for routing and firewall functions.
- The ISP gateway itself continues to have an internal private IP for management purposes but does not route traffic.
Use Case
- When a business or advanced home user has a dedicated firewall (e.g., a Cisco ASA, Fortinet, Palo Alto, or pfSense firewall) and wants full control over network security and routing.
- When avoiding double NAT (Network Address Translation), which can cause connectivity issues with VPNs, VoIP, and certain applications.
Key Considerations
- Typically, only one device can receive the public IP.
- Some ISPs limit the ability to use IP Passthrough unless the customer has a static IP or a business account.
- If the ISP changes the public IP dynamically, the firewall must be configured to handle DHCP-assigned WAN IPs.
- Some ISP routers may still interfere with certain traffic (e.g., block ports, impose firewall rules) even in passthrough mode.
2. Bridge Mode
Definition
Bridge Mode is another configuration method that disables the ISP gateway’s routing and NAT features, making it function purely as a pass-through device (essentially a modem). This mode allows the customer's firewall or router to take full control over network operations.
How It Works
- The ISP gateway disables all routing features, including NAT, DHCP, and firewall functions.
- The firewall or router directly handles the public IP address assignment, routing, and security policies.
- All network traffic flows transparently between the ISP and the client network.
Use Case
- When a static IP block (multiple public IPs) is provided and must be assigned to different devices inside the network.
- When a business-class firewall is used that requires complete network control.
- When using a third-party router instead of the ISP’s equipment.
- In scenarios where multiple public IP addresses need to be assigned to different internal devices.
Key Considerations
- Not all ISP gateways support full bridge mode. Some still retain limited firewall rules or DHCP capabilities.
- If misconfigured, the ISP router could cause double NAT, leading to performance and connectivity issues.
- With bridge mode enabled, the ISP router loses all routing capabilities, meaning all routing and firewalling must be done on the client-side device.
- In some cases, customer support from the ISP may be limited if bridge mode is enabled.
3. Dynamic IP vs. Static IP in the Context of ISP Gateways and Firewalls
Dynamic IP Address
- Assigned automatically by the ISP (via DHCP).
- Changes periodically (e.g., daily, weekly, or when the modem reconnects).
- Often used for residential and small business customers.
- Requires Dynamic DNS (DDNS) services if hosting public-facing services (e.g., VPN, web server).
Static IP Address
- Fixed, does not change (unless manually reassigned by the ISP).
- Required for businesses running servers (e.g., mail servers, web servers, VPNs).
- Essential for remote access, site-to-site VPNs, and VoIP systems that require consistent addressing.
- Usually an additional cost from the ISP.
- If using a block of static IPs, they can be assigned in Bridge Mode to different internal devices.
Comparison Table: IP Passthrough vs. Bridge Mode
Feature | IP Passthrough | Bridge Mode |
---|
Purpose | Assigns public IP to a single client device | Disables ISP router functions entirely |
NAT Functionality | Disabled for 1 device; ISP router still active internally | Completely disabled |
Firewall Control | Firewall/router handles security | Firewall/router handles security |
Public IP | Assigned to a single device | Can assign multiple static IPs (if provided by ISP) |
Best for | Avoiding double NAT while keeping ISP device operational | Full control over routing and firewalling |
Potential Issues | May still have ISP restrictions | Some ISPs do not allow true bridge mode |
Commonly Used For | Home or small business setups with a single firewall | Businesses with static IP blocks, advanced routing needs |
Conclusion
Both IP Passthrough and Bridge Mode allow better integration between an ISP gateway and a client’s firewall/router, but they serve slightly different purposes.
- Use IP Passthrough if you only need a single public IP on your firewall/router while keeping the ISP gateway operational for basic connectivity.
- Use Bridge Mode if you have a static IP block or need complete control over routing, and your ISP supports full bridge functionality.
Proper configuration depends on ISP limitations, network needs, and whether you are using a dynamic or static IP.
Provide thorough definitions and overview of IP passthrough and bridge mode as it relates to ISP Gateways and client firewalls. Include related information on dynamic IP vs static IP.
Related Articles
Speed Issues and Speed Test Best Practice
Use a remote session or have the customer navigate to one of the links below depending on the connection type. Test speed for cable or DSL connections by using www.speedtest.net For AT&T fiber test using https://www.att.com/support/speedtest/ ...
How to Find Your IP Address on Windows, Mac, iPhone, & Android
IP Addresses - Local & Public Related Links How to find my MAC address Overview What’s my public IP address? Assigned by your Internet Service Provider (ISP) and your gateway or modem. It’s how they determine which customer is requesting which ...
USB C Video Output and Dock Compatibility
USB C Video Output: To support video output via USB C, the host device must support Power Delivery and DisplayPort Alt Mode or USB-C 3.1 (generation 1 or 2) To support 4K@60Hz, your laptop must support DisplayPort 1.4. USB Hubs and Display Link for ...
Outlook Calendar Sharing and Permissions
Outlook Calendar Sharing and Permissions Video Calendar Permission Levels Can view when I'm busy - People you share with can only see the times you've blocked out as busy. Can view titles and locations - People you share with can see the titles and ...
Set your Default Printer in Windows 10
In Windows, you can change your Default Printer in two locations: Windows Settings 1. Click Start: 2. Click Settings: 3. Click Devices: 4. Click Printers & Scanners 5. Choose the printer you want to be your default by clicking it in the list, then ...